[55047] in North American Network Operators' Group

Re: New worm / port 1434?

daemon@ATHENA.MIT.EDU (Josh Richards)
Sat Jan 25 03:32:06 2003

Date: Fri, 24 Jan 2003 22:59:17 -0800
From: Josh Richards <jrichard@cubicle.net>
To: nanog@nanog.org
In-Reply-To: <20030125063229.GD58624@silverwraith.com>
Errors-To: owner-nanog-outgoing@merit.edu


* Avleen Vig <lists-nanog@silverwraith.com> [20030124 22:44]:
> 
> It seems we have a new worm hitting Microsoft SQL server servers on port
> 1434.

A preliminary look at some of our NetFlow data shows a suspect ICMP payload
delivered to one of our downstream colo customer boxes followed by a
70 Mbit/s burst from them.  The burst consisted of traffic to seemingly random
destinations on 1434/udp.  This customer typically does about 0.250 Mbit/s
so this was a bit out of their profile. :-)  Needless to say, we shut them
down per a suspected security incident.  The ICMP came from 66.214.194.31 
though that could quite easily be forged or just another compromised box.  
We're seeing red to many networks all over the world though our network seems 
to have quieted down a bit.  Sounds like a DDoS in the works.  

Anyone else able to corroborate/compare notes? 

-jr


----
Josh Richards <jrichard@{ geekresearch.com, cubicle.net, digitalwest.net }>
Geek Research, LLC - Digital West Networks, Inc - San Luis Obispo, CA 
KG6CYK - IP/Unix/telecom/knowledge/coffee/security/crypto/business/geek
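The out-of-profile pattern Josh describes (a host that normally does a fraction of a Mbit/s suddenly spraying seemingly random destinations on 1434/udp, shortly after an inbound ICMP packet) can be turned into a simple flow-record check. The code below is an added example and is not part of the original post or of any NANOG tooling: the flow records are constructed from RFC 5737 documentation addresses, the per-packet size and the thresholds (10x the baseline rate, at least 100 distinct destinations) are assumptions, and the ICMP correlation is circumstantial for exactly the reason the post gives.

```python
"""Flag hosts whose outbound udp/1434 traffic is far out of their usual profile,
in the spirit of the NetFlow observation in the post above.

Added example, not the post's own code. Flow records are constructed
(RFC 5737 documentation addresses); thresholds and packet sizes are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Flow:
    ts: float      # flow start, seconds from the start of the window (constructed)
    src: str
    dst: str
    proto: str     # "udp", "tcp" or "icmp"
    dport: int     # 0 for icmp
    nbytes: int    # bytes on the wire for this flow


def udp1434_profile(flows, window_s):
    """Per source host: bits/s sent to udp/1434 over the window and the
    number of distinct destinations hit."""
    nbytes = defaultdict(int)
    dsts = defaultdict(set)
    for f in flows:
        if f.proto == "udp" and f.dport == 1434:
            nbytes[f.src] += f.nbytes
            dsts[f.src].add(f.dst)
    return {src: (nbytes[src] * 8 / window_s, len(dsts[src])) for src in nbytes}


def flag_out_of_profile(flows, window_s, baseline_bps, default_bps=250_000,
                        burst_factor=10, min_dsts=100):
    """Return [(src, bps, distinct_dsts)] for hosts whose udp/1434 rate exceeds
    burst_factor times their normal rate AND that spray many distinct
    destinations. baseline_bps maps host -> usual bits/s; hosts not listed
    get default_bps (the 0.250 Mbit/s figure from the post)."""
    flagged = []
    for src, (bps, ndst) in udp1434_profile(flows, window_s).items():
        normal = baseline_bps.get(src, default_bps)
        if bps > burst_factor * normal and ndst >= min_dsts:
            flagged.append((src, bps, ndst))
    return sorted(flagged, key=lambda r: r[1], reverse=True)


def first_udp1434_ts(flows, host):
    """Start of the burst: earliest udp/1434 flow sent by host."""
    return min(f.ts for f in flows
               if f.src == host and f.proto == "udp" and f.dport == 1434)


def inbound_icmp_before(flows, host, before_ts):
    """Sources of ICMP flows delivered to host before the burst began.
    Circumstantial only: as the post notes, that source may be forged or
    itself a compromised box."""
    return sorted({f.src for f in flows
                   if f.proto == "icmp" and f.dst == host and f.ts < before_ts})


def make_sample_flows(seed=1):
    """Constructed 10-second window: one host doing ordinary web traffic and
    one host that, after receiving an ICMP packet, sprays udp/1434 at
    random destinations (404-byte flows, an assumed size)."""
    rng = random.Random(seed)
    flows = [Flow(i * 0.3, "192.0.2.10", "198.51.100.5", "tcp", 80, 1500)
             for i in range(30)]
    flows.append(Flow(0.5, "198.51.100.77", "192.0.2.20", "icmp", 0, 500))
    for _ in range(10_000):
        dst = f"203.0.113.{rng.randrange(1, 255)}"
        flows.append(Flow(1.0 + rng.random() * 9, "192.0.2.20", dst, "udp", 1434, 404))
    return flows


if __name__ == "__main__":
    sample = make_sample_flows()
    for src, bps, ndst in flag_out_of_profile(sample, window_s=10, baseline_bps={}):
        t0 = first_udp1434_ts(sample, src)
        print(f"{src}: {bps / 1e6:.2f} Mbit/s to udp/1434, {ndst} distinct dsts; "
              f"inbound ICMP before burst from {inbound_icmp_before(sample, src, t0)}")
```

The two-part test matters: a legitimately busy SQL client can exceed its usual rate, but it talks to a handful of servers, whereas a scanning worm hits hundreds of distinct destinations, so the distinct-destination count is what separates the two.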
